Medium PCSE practice questions
Applied — put a concept to work in a realistic situation. 122 medium questions available — no sign-up, always free.
A financial services company operating under strict regulatory requirements must ensure that no Google support or engineering personnel can access their customer data unless the company's own security team has explicitly granted permission for each access request. They already have Access Transparency logs enabled but want to move from passive visibility to active pre-authorization. Which capability should they configure to meet this requirement?
A financial services company must document to their auditors that all Google personnel access to their production data is logged. Their compliance team wants to enable Access Transparency logs across the organization. During the enablement review, the security engineer discovers that Access Transparency is not available to activate for the organization. What is the most likely prerequisite the company has not met?
A financial services company is preparing documentation for an external auditor who is assessing the organization's ability to demonstrate oversight of any Google personnel access to customer content. The security team has already enabled Cloud Audit Logs (Admin Activity and Data Access). The auditor specifically asks for evidence showing when Google support or engineering staff accessed customer content, along with the justification for that access. Which action provides the required evidence?
A financial services company must demonstrate to auditors that they have visibility into any actions Google Cloud support or engineering personnel take on their data, and that such access requires explicit organizational sign-off before it occurs. The compliance team has already enabled Access Transparency logs across the organization. During an audit rehearsal, they realize they cannot show evidence that Google personnel access was ever gated on their own approval. Which additional capability should they enable to meet the requirement that Google personnel access be explicitly authorized by the organization before it happens?
A healthcare organization runs regulated workloads in an Assured Workloads folder configured for a US-based compliance regime. During a routine audit, the compliance team must demonstrate to regulators that Google support and engineering personnel cannot access customer content without a documented business justification, and that any such access is logged with a reason code. Which capability should the team point to as evidence of this control?
A healthcare company runs regulated workloads in an Assured Workloads folder configured for a specific compliance regime. The compliance team needs an automated way to be alerted when a resource is created or modified in a way that violates the Assured Workloads controls (for example, a resource deployed outside the approved region), so they can document and remediate the drift. Which capability should they use?
A financial services company already runs several production projects in a Google Cloud organization. New regulations now require that a subset of these workloads meet a specific compliance regime with strict data residency and personnel access controls. The security team wants to bring these workloads under Assured Workloads with the least effort while ensuring compliance controls are actually enforced. What is the correct approach?
A U.S. federal contractor must run a new workload on Google Cloud under FedRAMP Moderate authorization. During planning, an engineer proposes using an Assured Workloads folder configured for the FedRAMP Moderate control package. A developer asks to deploy a Google Cloud service that is NOT on the list of products supported by that Assured Workloads compliance regime. What is the correct guidance for maintaining compliance within the Assured Workloads folder?
A US federal contractor must run a new workload in Google Cloud that handles Controlled Unclassified Information (CUI). Compliance requires that the data remain within US regions, that only US-based Google support personnel who have passed government background checks can access the environment, and that the control package aligns with the DoD Impact Level 4 (IL4) framework. The security team wants Google to enforce these constraints programmatically at folder creation rather than relying on manually applied org policies. What should they do?
A financial services company must demonstrate to auditors that all administrative configuration changes to Google Cloud resources over the past 18 months can be produced on demand. The compliance team discovers that Admin Activity audit logs are being relied upon for this evidence, but is concerned they will not satisfy the 18-month retention requirement. Which action correctly addresses this concern while minimizing operational overhead?
A financial services company must be able to prove exactly which principals read the contents of sensitive objects in a specific Cloud Storage bucket during forensic investigations. During a recent incident, the security team discovered that Cloud Logging showed no records of object reads, only administrative changes to the bucket configuration. They need read operations to be captured going forward with minimal blast radius. What should the team configure?
A financial services company must demonstrate to auditors that all reads and writes to a specific set of BigQuery datasets holding regulated customer data are logged, without incurring the cost and volume of enabling Data Access logs across every service in the organization. Their compliance mandate applies only to those datasets. What is the recommended approach to configure Data Access audit logs to satisfy this requirement efficiently?
A compliance auditor asks your team to demonstrate which Cloud Audit Logs categories are always captured for a GCP organization without any administrator action to enable them, and which cannot be disabled. During a review, a security engineer claims that all audit log types must be explicitly enabled before they generate entries. Which statement correctly describes the default and configurability behavior of Cloud Audit Log types that you should document for the auditor?
Your organization runs production workloads on a GKE cluster. Security policy requires that only container images built by the approved Cloud Build pipeline and scanned for vulnerabilities may be deployed. Developers must not be able to deploy arbitrary images pulled from public registries or built on their laptops. You need to enforce this at deploy time on the cluster. What should you implement?
A company runs microservices on Cloud Run. The security team wants to guarantee that only container images built by the organization's trusted Cloud Build pipeline and stored in a specific Artifact Registry repository can be deployed to production Cloud Run services. Developers must not be able to deploy arbitrary public images. What is the most effective way to enforce this deployment control?
A retail company exposes a public web application through an external HTTP(S) load balancer. Recently, the application was targeted by SQL injection attempts and a volumetric flood of malicious requests from a handful of specific IP ranges. The security team wants to block the known bad IP ranges, mitigate common OWASP Top 10 attacks like SQL injection, and rate-limit abusive clients — all without modifying application code. Which approach should they implement?
A retail company exposes a public web application behind a global external Application Load Balancer. The security team must ensure that only traffic originating from the corporate offices' well-known egress IP ranges can reach the application, while all other public traffic is blocked at the network edge before hitting the backends. The list of corporate IP ranges is large and changes periodically as new offices open. Which approach best meets these requirements while minimizing maintenance overhead?
A retail company runs a public API behind a global external Application Load Balancer. During flash sales, a small number of client IPs generate a massive volume of legitimate-looking requests that overwhelm backends, but the company does not want to fully block these clients — only slow them down when they exceed a fair usage threshold. Which Cloud Armor configuration meets this requirement?
Your organization uses Cloud Build to deploy applications to production Cloud Run services. The security team requires that any deployment targeting the production environment must be manually reviewed and explicitly approved by an authorized release manager before it executes, while builds to staging should continue to run automatically. You need to implement this control natively within the CI/CD pipeline with an auditable record of who approved each production deployment. What should you do?
Your organization runs CI/CD pipelines in Cloud Build to deploy applications to Cloud Run. A recent security review found that the pipelines use the default Cloud Build service account, which has broad Editor-level permissions across the project. A malicious commit could therefore let a build step create resources or modify IAM policies far beyond deployment needs. The security team wants to reduce the blast radius of a compromised build while keeping deployments functional. What is the most appropriate action?
A financial services company runs its container build pipeline in Cloud Build, pushing images to Artifact Registry. Auditors require cryptographic proof of how each image was built, including the source commit and build steps, so that downstream Binary Authorization policies can verify that images originate only from the trusted pipeline. The security team wants to enable this evidence with minimal custom tooling. What should they do?
A financial services company must comply with a regulatory requirement that all cryptographic keys protecting customer payment data be generated and stored in hardware validated to FIPS 140-2 Level 3. The security team wants to use Cloud KMS to manage these keys but must ensure the private key material never exists outside a certified hardware boundary and cannot be exported. Which approach meets these requirements with the least operational overhead?
A company uses Okta as its primary identity provider and Google Cloud with Cloud Identity for its cloud resources. The security team wants new employees added in Okta to be automatically created as Cloud Identity users, and departing employees to be automatically suspended in Cloud Identity when disabled in Okta — all without deploying or maintaining any server infrastructure on-premises. Which approach should they implement?
A financial services company uses Cloud Identity as its identity provider and has hundreds of employees who frequently change roles between the 'Data Analysts', 'Data Engineers', and 'Auditors' teams. The security team is frustrated because IAM bindings are granted directly to individual user accounts, causing access drift and lengthy offboarding when people move teams. They want a scalable approach that lets access follow team membership and simplifies audits. What should they implement?
Your organization already manages employee identities in an on-premises Active Directory and a third-party identity provider (Okta) that supports SAML 2.0. Leadership wants employees to sign in to Google Cloud using their existing Okta credentials, and wants Okta to remain the authoritative source for authentication. You must ensure that when users authenticate, they are redirected to Okta and that Google Cloud does not store or validate their passwords. What should you configure?